Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1client32/A...re.dll
windows7-x64
3client32/A...re.dll
windows10-2004-x64
3client32/HTCTL32.dll
windows7-x64
3client32/HTCTL32.dll
windows10-2004-x64
3client32/PCICHEK.dll
windows7-x64
3client32/PCICHEK.dll
windows10-2004-x64
3client32/PCICL32.dll
windows7-x64
3client32/PCICL32.dll
windows10-2004-x64
3client32/client32.exe
windows7-x64
10client32/client32.exe
windows10-2004-x64
10client32/msvcr100.dll
windows7-x64
3client32/msvcr100.dll
windows10-2004-x64
3client32/pcicapi.dll
windows7-x64
3client32/pcicapi.dll
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/10/2024, 17:35 UTC
Static task
static1
Behavioral task
behavioral1
Sample
client32/AudioCapture.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
client32/AudioCapture.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
client32/HTCTL32.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
client32/HTCTL32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
client32/PCICHEK.dll
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
client32/PCICHEK.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
client32/PCICL32.dll
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
client32/PCICL32.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
client32/client32.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
client32/client32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
client32/msvcr100.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
client32/msvcr100.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
client32/pcicapi.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
client32/pcicapi.dll
Resource
win10v2004-20241007-en
General
-
Target
client32/PCICL32.dll
-
Size
3.3MB
-
MD5
df45089846f1fcbe66491ff76cf9fc6d
-
SHA1
b3a888033434ef712f3acc11612e8eec41b82d91
-
SHA256
128ad8b4b8f5975ab122564f726a2449e24a043021d2a671750312636a18a358
-
SHA512
30fbeea89e1f0e931a3e53252de12b31da478e61b101173c9819c8d3968bf44672b98c449b07c0728cb25b08e3a879ac146c6950eeec6fc62dfb53f809c95495
-
SSDEEP
49152:BWMA61yiaB6FnebgvDYUEuyiN1MpwYSNGrUqZ9AtXFshTIwiasclST3/:BKCyipe0/hyiN1MpjWWmtXXeSj
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1496 wrote to memory of 3460 1496 rundll32.exe 84 PID 1496 wrote to memory of 3460 1496 rundll32.exe 84 PID 1496 wrote to memory of 3460 1496 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\client32\PCICL32.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\client32\PCICL32.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:3460
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 818674
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A8DC5ECA7DC249AAB41D2B3DFCCACDAF Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 1145289
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CD30E98A50774340A91CCC8539FB6216 Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388068_1L9UIL4HSMYJDR381&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388068_1L9UIL4HSMYJDR381&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 892656
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3FA5CB662A534DF0A3F6E2CB1C92B192 Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 790945
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EE6941D85B69434EA0F3E8238DC0D236 Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388069_1LR6CG2CYQVB72KAZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388069_1LR6CG2CYQVB72KAZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 866696
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 66628EB28E544F70A070731508184295 Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 906468
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8A880D979E9C4096989D019860488008 Ref B: LON601060105042 Ref C: 2024-10-24T17:37:42Z
date: Thu, 24 Oct 2024 17:37:42 GMT
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request34.197.79.40.in-addr.arpaIN PTRResponse
-
150.171.28.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90tls, http2193.6kB 5.6MB 4090 4084
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239353595219_1EGLKLHZ1AZFLS6F4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418583_14V7XNG13AXXMHR4D&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388068_1L9UIL4HSMYJDR381&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239353595220_1KBZRW36PLPFPT43I&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388069_1LR6CG2CYQVB72KAZ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418584_19MU177BXG1FCVM1K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
104.209.201.84.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10150.171.27.10
-
72 B 158 B 1 1
DNS Request
10.28.171.150.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
34.197.79.40.in-addr.arpa